Technical Documentation

Example: Blocking TFTP Access

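Block Trivial File Transfer Protocol (TFTP) access, logging any attempts to establish TFTP connections. Because a JUNOS firewall filter ends with an implicit discard, a filter that contains only this term also drops all other traffic where it is applied; add a final accepting term if other traffic must pass.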

[edit]
firewall {
    family inet {
        filter tftp-access-control {
            term one {
                from {
                    protocol udp;
                    port tftp;
                }
                then {
                    log;
                    discard;
                }
            }
        }
    }
}

By default, to decrease vulnerability to denial-of-service (DoS) attacks, the JUNOS Software filters and discards Dynamic Host Configuration Protocol (DHCP) or Bootstrap Protocol (BOOTP) packets that have a source address of 0.0.0.0 and a destination address of 255.255.255.255. This default filter is known as a unicast RPF check. However, some vendors' equipment automatically accepts these packets. To interoperate with other vendors' equipment, you can configure a filter that checks for both these addresses and overrides the default RPF-check filter by accepting these packets.
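
One way to write the override filter described above, shown as an added example rather than configuration from the original page. The filter name rpf-dhcp, the interface ge-0/0/0, the counter name, and the narrowing to UDP destination port 67 are assumptions made for illustration; the page itself only specifies matching the two addresses.

```junos
[edit]
firewall {
    family inet {
        /* Hypothetical filter name; used as the RPF fail filter below. */
        filter rpf-dhcp {
            term dhcp-broadcast {
                from {
                    source-address {
                        0.0.0.0/32;
                    }
                    destination-address {
                        255.255.255.255/32;
                    }
                    /* Assumption: limit the exception to DHCP/BOOTP client requests. */
                    protocol udp;
                    destination-port 67;
                }
                then {
                    /* Counter gives visibility into how often the exception is used. */
                    count rpf-dhcp-accepted;
                    accept;
                }
            }
            /* No further terms: every other packet that fails the RPF
               check hits the implicit discard and is still dropped. */
        }
    }
}
interfaces {
    /* Placeholder interface name. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                rpf-check {
                    /* Evaluated only for packets that fail the RPF check. */
                    fail-filter rpf-dhcp;
                }
            }
        }
    }
}
```

Keeping the fail filter to this single narrow term preserves the RPF protection for all other spoofed-source traffic on the interface.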


Published: 2010-04-15